yring_from_id function.
- Put modsig to measurement list if the template requires the signature
contents. (suggested by Mimi).
Thiago Jung Bauermann (7):
integrity: Introduce struct evm_hmac_xattr
MODSIGN: Export module signature definitions.
PKCS#7: Introduce verify_pkcs7_message_sig
This avoids a dependency cycle in CONFIG_IMA_APPRAISE_MODSIG (introduced by
a later patch in this series): it will select CONFIG_MODULE_SIG_FORMAT
which in turn selects CONFIG_KEYS. Kconfig then complains that
CONFIG_INTEGRITY_SIGNATURE depends on CONFIG_KEYS.
Signed-off-by: Thiago Jung Bauermann
.
Signed-off-by: Thiago Jung Bauermann
---
security/integrity/ima/Kconfig| 13 +++
security/integrity/ima/Makefile | 1 +
security/integrity/ima/ima.h | 60 ++--
security/integrity/ima/ima_appraise.c | 102 ++---
security/integrity/ima
ata, since in most places the array
doesn't hold a digest.
A separate struct evm_hmac_xattr is introduced, with the original
definition of evm_ima_xattr_data to be used in the places that actually
expect that definition.
Signed-off-by: Thiago Jung Bauermann
---
security/integrity/evm/evm.h
Add function verify_pkcs7_message_signature which takes a struct
pkcs7_message for verification instead of the raw bytes that
verify_pkcs7_signature takes.
This will be used by IMA to verify files with module-style appended
signatures.
Signed-off-by: Thiago Jung Bauermann
---
certs
, and by then the measure step was already
completed and would need to be done again in case the template includes the
signature.
To avoid this problem, do the appraisal first so that the correct signature
is stored by the template in the measure step.
Signed-off-by: Thiago Jung Bauermann
---
security
validate_module_signature without having to depend on
CONFIG_MODULE_SIG.
Signed-off-by: Thiago Jung Bauermann
---
include/linux/module.h | 3 --
include/linux/module_signature.h | 47 +
init/Kconfig | 6 +++-
kernel/Makefile | 2 +-
kernel
IMA will need to obtain the keyring used to verify file signatures so that
it can verify the module-style signature appended to files.
Signed-off-by: Thiago Jung Bauermann
---
security/integrity/digsig.c| 28 +++-
security/integrity/integrity.h | 1 +
2 files
.c:100:40: error: ‘LOCKDOWN_LIFT_KEY’ undeclared (first use
in this function)
lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
^
security/lock_down.c:100:40: note: each undeclared identifier is reported only
once for each function it appears in
--
Thiago Jung Bauermann
IBM Linux Technology Center
g the leak in this case. Fortunately, the
current implementations of arch_ima_add_kexec_buffer() are very simple
and cannot fail, so this is a theoretical problem.
--
Thiago Jung Bauermann
IBM Linux Technology Center
> Signed-off-by: Lakshmi Ramasubramanian
> Suggested-by: Tyler Hicks
> Fixes: 7b8589cc29e7 ("ima: on soft reboot, save the measurement list")
Good catch.
Reviewed-by: Thiago Jung Bauermann
--
Thiago Jung Bauermann
IBM Linux Technology Center
8fabc623238e ("powerpc: Ensure that swiotlb buffer is allocated from low
memory")
This is because reverting the commit above also solves the problem on the
machines where I've seen this issue.
--
Thiago Jung Bauermann
IBM Linux Technology Center
| 202
> drivers/of/kexec.c | 240 +
> include/linux/of.h | 2 +
> security/integrity/ima/ima.h | 4 -
> security/integrity/ima/ima_kexec.c | 1 +
> 9 files changed, 244 insertions(+), 248 dele
> arch/powerpc/include/asm/kexec.h | 4 ---
> arch/powerpc/kexec/file_load.c| 60 ---
> arch/powerpc/kexec/file_load_64.c | 4 ++-
> 3 files changed, 3 insertions(+), 65 deletions(-)
Reviewed-by: Thiago Jung Bauermann
--
Thiago Jung Bauermann
IBM Linux Technology Center
ch/arm64/Kconfig | 1 +
> arch/arm64/include/asm/kexec.h | 5 +
> 2 files changed, 6 insertions(+)
Reviewed-by: Thiago Jung Bauermann
--
Thiago Jung Bauermann
IBM Linux Technology Center
arch/powerpc/kexec/ima.c.
If you prefer to keep the current order, it's worth mentioning on the
commit log where get_addr_size_cells() and do_get_kexec_buffer() are
coming from.
Regardless:
Reviewed-by: Thiago Jung Bauermann
--
Thiago Jung Bauermann
IBM Linux Technology Center
; + if (ret < 0)
> + return ret;
> + addr_cells = ret;
> +
> + ret = fdt_size_cells(fdt, chosen_node);
> + if (ret < 0)
> return ret;
> + size_cells = ret;
>
> entry_size = 4 * (addr_cells + size_cells);
Ditto here.
--
Thiago Jung Bauermann
IBM Linux Technology Center
d-off-by: Lakshmi Ramasubramanian
Reviewed-by: Thiago Jung Bauermann
--
Thiago Jung Bauermann
IBM Linux Technology Center
op->length, , );
> + if (ret)
> + return ret;
> +
> + ret = of_remove_property(of_chosen, prop);
> + if (ret)
> + return ret;
> +
> + return memblock_free(addr, size);
> +
> +}
> +
> #ifdef CONFIG_IMA_KEXEC
> static int ima_dump_me
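Review bot: the added function ends with an empty `+` line between `return memblock_free(addr, size);` and the closing brace, which should be dropped. Also, of_remove_property() runs before memblock_free(), so if the free returns an error the property that recorded the buffer is already gone; consider reversing the order or at least logging the failure.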
> + *
> + * Return: 0 on success, or negative errno on error.
> + */
> +int delete_fdt_mem_rsv(void *fdt, unsigned long start, unsigned long size)
This function can't go in an IMA-specific directory, because it's used
in arch/powerpc/kexec/file_load.c even if IMA isn't enabled.
I'm not sure where would be a good place for it. Perhaps a new file
called kernel/kexec_file_fdt.c?
> +{
> + int i, ret, num_rsvs = fdt_num_mem_rsv(fdt);
> +
> + for (i = 0; i < num_rsvs; i++) {
> + uint64_t rsv_start, rsv_size;
> +
> + ret = fdt_get_mem_rsv(fdt, i, _start, _size);
> + if (ret) {
> + pr_err("Malformed device tree.\n");
> + return -EINVAL;
> + }
> +
> + if (rsv_start == start && rsv_size == size) {
> + ret = fdt_del_mem_rsv(fdt, i);
> + if (ret) {
> + pr_err("Error deleting device tree
> reservation.\n");
> + return -EINVAL;
> + }
> +
> + pr_err("Freed the reserved memory at %lu of size %lu\n",
> + start, size);
This isn't an error. You should change it to a pr_debug() or remove it.
> + return 0;
> + }
> + }
> +
> + return -ENOENT;
> +}
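Review bot: both failure paths inside the loop discard the libfdt return value and report -EINVAL with a fixed message, so the log cannot tell which libfdt error occurred. Including `ret` in the two pr_err() calls would help, and the address in the final message reads better in hex (`%#lx`) than with `%lu`.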
--
Thiago Jung Bauermann
IBM Linux Technology Center
ion is present in the device tree
> for ARM64.
>
> Co-developed-by: Prakhar Srivastava
> Signed-off-by: Prakhar Srivastava
> Signed-off-by: Lakshmi Ramasubramanian
Reviewed-by: Thiago Jung Bauermann
--
Thiago Jung Bauermann
IBM Linux Technology Center
Hi Lakshmi,
Lakshmi Ramasubramanian writes:
> On 12/6/20 5:50 PM, Lakshmi Ramasubramanian wrote:
>
> Hi Thiago,
>
>> On 12/4/20 6:22 PM, Thiago Jung Bauermann wrote
>>>
>>> Hello Lakshmi,
>>>
>>> Lakshmi Ramasubramanian writes:
>>
Lakshmi Ramasubramanian writes:
> On 12/11/20 10:19 AM, Thiago Jung Bauermann wrote:
>> Hi Lakshmi,
>> Lakshmi Ramasubramanian writes:
>>
>>> On 12/6/20 5:50 PM, Lakshmi Ramasubramanian wrote:
>>>
>>> Hi Thiago,
>>>
>>>>
c when CONFIG_KEXEC_FILE is enabled is fine. But when
> more functions (such as remove_ima_buffer()) are moved to this file, Makefile
> needs to be updated for other ima kexec related CONFIGs.
IMA kexec is only available if CONFIG_KEXEC_FILE is enabled, so I don't
understand what problem you are seeing.
--
Thiago Jung Bauermann
IBM Linux Technology Center
ec/file_load_64.c | 4 ++--
> 3 files changed, 5 insertions(+), 5 deletions(-)
Reviewed-by: Thiago Jung Bauermann
--
Thiago Jung Bauermann
IBM Linux Technology Center
> arm64 version also retries with a bigger allocation. That seems
> unnecessary.
> ---
> drivers/of/Makefile | 1 +
> drivers/of/kexec.c | 228
> include/linux/of.h | 5 +
> 3 files changed, 234 insertions(+)
> create mode 100644 drivers/of/kexec.c
Reviewed-by: Thiago Jung Bauermann
--
Thiago Jung Bauermann
IBM Linux Technology Center
Rob Herring writes:
> Signed-off-by: Rob Herring
> ---
> arch/arm64/kernel/machine_kexec_file.c | 123 +
> 1 file changed, 3 insertions(+), 120 deletions(-)
Reviewed-by: Thiago Jung Bauermann
--
Thiago Jung Bauermann
IBM Linux Technology Center
Rob Herring writes:
> Signed-off-by: Rob Herring
> ---
>
> After the IMA changes, delete_fdt_mem_rsv() can also be removed.
>
> arch/powerpc/kexec/file_load.c | 125 ++---
> 1 file changed, 6 insertions(+), 119 deletions(-)
Reviewed-by:
---
> arch/powerpc/kexec/ima.c | 17 -
> security/integrity/ima/ima_kexec.c | 22 ++
> 3 files changed, 22 insertions(+), 20 deletions(-)
Reviewed-by: Thiago Jung Bauermann
Just one nit below.
Also, I just noticed that this patch series hasn't been cc'd to t
100644
> --- a/security/integrity/ima/ima_kexec.c
> +++ b/security/integrity/ima/ima_kexec.c
> @@ -10,6 +10,7 @@
> #include
> #include
> #include
> +#include
> #include
> #include "ima.h"
This include isn't necessary.
--
Thiago Jung Bauermann
IBM Linux Technology Center
owerpc/kexec/ima.c" to
> "drivers/of/kexec.c" only when CONFIG_HAVE_IMA_KEXEC is enabled.
>
> => Also, compile write_number() and setup_ima_buffer() only when
> CONFIG_IMA_KEXEC is enabled.
Sounds good, with one additional change:
So far, CONFIG_HAVE_IMA_KEXEC was
err:
With this change, setup_new_fdt() is nothing more than a call to
of_kexec_setup_new_fdt(). It should be removed, and its caller should
call of_kexec_setup_new_fdt() directly.
This change could be done in patch 4 of this series, to keep this patch
simpler.
--
Thiago Jung Bauermann
IBM Linux Technology Center
r Srivastava
> Signed-off-by: Prakhar Srivastava
> Signed-off-by: Lakshmi Ramasubramanian
> ---
> drivers/of/kexec.c | 57 --
> 1 file changed, 5 insertions(+), 52 deletions(-)
This is a nice improvement, thanks.
Reviewed-by: Thiago Jung Bauermann
--
Thiago Jung Bauermann
IBM Linux Technology Center
etions(-)
As I mentioned in the other email, this patch could remove
setup_new_fdt() as well.
I'm a bit ambivalent on whether this patch should be squashed with
patch 2 or left on its own, but I tend toward the latter option because
patch 2 is big enough already.
--
Thiago Jung Bauermann
IBM Linux Technology Center
ons(+), 1 deletion(-)
Reviewed-by: Thiago Jung Bauermann
--
Thiago Jung Bauermann
IBM Linux Technology Center
ig
> @@ -1094,6 +1094,7 @@ config KEXEC
> config KEXEC_FILE
> bool "kexec file based system call"
> select KEXEC_CORE
> + select HAVE_IMA_KEXEC
> help
> This is new version of kexec system call. This system call is
> file based and takes
Lakshmi Ramasubramanian writes:
> On 12/22/20 4:19 PM, Thiago Jung Bauermann wrote:
>> Lakshmi Ramasubramanian writes:
>>
>>> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
>>> index 6ebefec616e4..7c3947ad3773 100644
>>> --
Hi Ram,
Thanks for reviewing this patch.
Ram Pai writes:
> On Fri, Dec 18, 2020 at 03:21:03AM -0300, Thiago Jung Bauermann wrote:
>> On server-class POWER machines, we don't need the SWIOTLB unless we're a
>> secure VM. Nevertheless, if CONFIG_SWIOTLB is enabled we
WIOTLB in those cases.
Fixes: eae9eec476d1 ("powerpc/pseries/svm: Allocate SWIOTLB buffer anywhere in
memory")
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/mm/mem.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/mm/mem.c b/arch/powerp
> This one is already present in ima and there's no change in that in my
> patches.
>
> 2, The other one is remove_ima_kexec_buffer() called from setup_ima_buffer()
> defined in "arch/powerpc/kexec/ima.c"
>
> This function removes the "ima buffer" node f
e_ima_buffer() and arch_ima_add_kexec_buffer().
>
> Co-developed-by: Prakhar Srivastava
> Signed-off-by: Prakhar Srivastava
> Signed-off-by: Lakshmi Ramasubramanian
> Reviewed-by: Mimi Zohar
These warnings showed up when using `make W=1`, and this patch fixes
them. Thanks!
Revi
.h
> index 9e93bef52968..d0234c4815da 100644
> --- a/include/linux/kexec.h
> +++ b/include/linux/kexec.h
> @@ -407,6 +407,11 @@ static inline int kexec_crash_loaded(void) { return 0; }
> #define kexec_in_progress false
> #endif /* CONFIG_KEXEC_CORE */
>
> +#if defined(CONFIG_OF_FLATTREE)
This would also change to require CONFIG_KEXEC_FILE.
> +extern int delete_fdt_mem_rsv(void *fdt, unsigned long start,
> + unsigned long size);
> +#endif /* CONFIG_OF_FLATTREE */
> +
> #endif /* !defined(__ASSEBMLY__) */
>
> #endif /* LINUX_KEXEC_H */
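Review bot: the new prototype inside the `CONFIG_OF_FLATTREE` block carries `extern`, which the kernel coding style asks to leave off function declarations; `int delete_fdt_mem_rsv(void *fdt, unsigned long start, unsigned long size);` is enough. The declaration also has no kernel-doc reference or comment in the header saying which file defines it, which matters here since the placement of the definition is still under discussion.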
--
Thiago Jung Bauermann
IBM Linux Technology Center
> Co-developed-by: Prakhar Srivastava
> Signed-off-by: Prakhar Srivastava
> Signed-off-by: Lakshmi Ramasubramanian
I'd personally squash this patch with the next one, but I'll leave it
just as a suggestion since maintainers are the ones who know best what
works well in this regard.
The co
tava
> Signed-off-by: Prakhar Srivastava
> Signed-off-by: Lakshmi Ramasubramanian
Looks good. Thanks!
Reviewed-by: Thiago Jung Bauermann
> ---
> arch/powerpc/kexec/ima.c | 58 +---
> 1 file changed, 7 insertions(+), 51 deletions(-)
>
>
-by: Lakshmi Ramasubramanian
Looks good. Just minor comments below. Nevertheless:
Reviewed-by: Thiago Jung Bauermann
> ---
> arch/powerpc/include/asm/ima.h | 8 ++--
> arch/powerpc/kexec/ima.c | 26 --
> drivers/of/kexec.c | 29 +++
NFIG_IMA_KEXEC is enabled and remove "#ifdef CONFIG_IMA_KEXEC"
> in arch/powerpc/kexec/ima.c.
Nice.
> Co-developed-by: Prakhar Srivastava
> Signed-off-by: Prakhar Srivastava
> Signed-off-by: Lakshmi Ramasubramanian
> Reviewed-by: Mimi Zohar
Reviewed-by: Thiago Jung Bauermann
pc.
>
> Move arch_ima_add_kexec_buffer() to
> security/integrity/ima/ima_kexec.c so that it is accessible for
> other architectures as well.
>
> Signed-off-by: Lakshmi Ramasubramanian
Not sure if the maintainers will agree with me (see below), but FWIW:
Reviewed-by: Thiago Jung Bauermann
>
Update CONFIG_KEXEC_FILE to select CONFIG_HAVE_IMA_KEXEC to indicate
> that the IMA measurement log information is present in the device tree
> for ARM64.
>
> Co-developed-by: Prakhar Srivastava
> Signed-off-by: Prakhar Srivastava
> Signed-off-by: Lakshmi Ramasubramanian
Revie
> sme_active() is x86 specific and can't be called from
> generic code on other platforms than x86.
>
> Fixes: 2cc13bb4f59f ("iommu: Disable passthrough mode when SME is active")
> Signed-off-by: Joerg Roedel
Thank you!
--
Thiago Jung Bauermann
IBM Linux Technology Center
Michael Ellerman writes:
> On Tue, 2019-08-20 at 02:13:12 UTC, Thiago Jung Bauermann wrote:
>> Introduce CONFIG_PPC_SVM to control support for secure guests and include
>> Ultravisor-related helpers when it is selected
>>
>> Signed-off-by: Thiago Jung Bauermann
From: Ram Pai
These functions are used when the guest wants to grant the hypervisor
access to certain pages.
Signed-off-by: Ram Pai
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/include/asm/ultravisor-api.h | 2 ++
arch/powerpc/include/asm/ultravisor.h | 24
e comments. ]
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/boot/main.c | 41 ++
arch/powerpc/boot/ops.h| 2 ++
arch/powerpc/boot/wrapper | 24 +---
arch/powerpc/boot/zImage.lds.S | 8 +++
4 files changed, 72 insert
Helps document what the hard-coded number means.
Also take the opportunity to fix an #endif comment.
Suggested-by: Alexey Kardashevskiy
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/kernel/paca.c | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/arch
, unsharing
of pages is skipped.
NOTE: While testing crashkernel, make sure at least 256M is reserved for
crashkernel. Otherwise SWIOTLB allocation will fail and crash kernel will
fail to boot.
Signed-off-by: Ram Pai
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/include/asm/ultravisor
|
+---+---+---+---+
| 0 | 1 | 1 | Problem (HV) |
+---+---+---+---+
Signed-off-by: Sukadev Bhattiprolu
Signed-off-by: Ram Pai
[ cclaudio: Update the commit message ]
Signed-off-by: Claudio Carvalho
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/include/asm/reg.h
switching to secure mode.
Signed-off-by: Ram Pai
[ andmike: Generate an RTAS os-term hcall when the ESM ucall fails. ]
Signed-off-by: Michael Anderson
[ bauerman: Cleaned up the code a bit. ]
Signed-off-by: Thiago Jung Bauermann
---
.../admin-guide/kernel-parameters.txt | 5 +
arch/power
. For that reason, the ucall.S file is placed under
arch/powerpc/kernel.
If ultravisor is not enabled, the ucalls will be redirected to the
hypervisor which must handle/fail the call.
Thanks to inputs from Ram Pai and Michael Anderson.
Signed-off-by: Claudio Carvalho
Signed-off-by: Thiago Jung
here.
Introduce helper is_svm_platform() which uses the S bit of the MSR to tell
whether we're running as a secure guest.
Signed-off-by: Anshuman Khandual
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/include/asm/svm.h | 26
arch/powerpc/kernel/paca.c | 43
ng a new kernel
Ryan Grimm (2):
powerpc/pseries/svm: Export guest SVM status to user space via sysfs
powerpc/configs: Enable secure guest support in pseries and ppc64
defconfigs
Sukadev Bhattiprolu (3):
powerpc: Introduce the MSR_S bit
powerpc/pseries/svm: Disable doorbells in SVM gue
Introduce CONFIG_PPC_SVM to control support for secure guests and include
Ultravisor-related helpers when it is selected
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/include/asm/asm-prototypes.h | 2 +-
arch/powerpc/kernel/Makefile | 4 +++-
arch/powerpc/platforms
-by: Ryan Grimm
Signed-off-by: Thiago Jung Bauermann
---
.../ABI/testing/sysfs-devices-system-cpu | 10 ++
arch/powerpc/kernel/sysfs.c | 20 +++
2 files changed, 30 insertions(+)
diff --git a/Documentation/ABI/testing/sysfs-devices-system-cpu
b
Pai and Michael Anderson.
Signed-off-by: Sukadev Bhattiprolu
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/platforms/pseries/smp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/platforms/pseries/smp.c
b/arch/powerpc/platforms/pseries/smp.c
index
into the
ARCH_HAS_MEM_ENCRYPT hooks and call swiotlb_update_mem_attributes() to
convert SWIOTLB's memory pool to shared memory.
Signed-off-by: Anshuman Khandual
[ bauerman: Use ARCH_HAS_MEM_ENCRYPT hooks to share swiotlb memory pool. ]
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/include/asm/mem_encrypt.h | 26
From: Anshuman Khandual
Secure guests need to share the DTL buffers with the hypervisor. To that
end, use a kmem_cache constructor which converts the underlying buddy
allocated SLUB cache pages into shared memory.
Signed-off-by: Anshuman Khandual
Signed-off-by: Thiago Jung Bauermann
---
arch
Secure guest memory is inaccessible to devices so regular DMA isn't
possible.
In that case set devices' dma_map_ops to NULL so that the generic
DMA code path will use SWIOTLB to bounce buffers for DMA.
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/platforms/pseries/iommu.c | 11
From: Ryan Grimm
Enables running as a secure guest in platforms with an Ultravisor.
Signed-off-by: Ryan Grimm
Signed-off-by: Ram Pai
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/configs/ppc64_defconfig | 1 +
arch/powerpc/configs/pseries_defconfig | 1 +
2 files changed, 2
-by: Claudio Carvalho
Signed-off-by: Thiago Jung Bauermann
---
Documentation/powerpc/ultravisor.rst | 1055 ++
1 file changed, 1055 insertions(+)
diff --git a/Documentation/powerpc/ultravisor.rst
b/Documentation/powerpc/ultravisor.rst
new file mode 100644
index
Hello Christoph,
Thanks for your review.
Christoph Hellwig writes:
> On Tue, Aug 06, 2019 at 02:22:34AM -0300, Thiago Jung Bauermann wrote:
>> @@ -1318,7 +1319,10 @@ void iommu_init_early_pSeries(void)
>> of_reconfig_notifier_register(_reconfig_nb);
>> reg
Michael Ellerman writes:
> Thiago Jung Bauermann writes:
>> Michael Ellerman writes:
>>> Thiago Jung Bauermann writes:
>>>> From: Ryan Grimm
>>>> User space might want to know it's running in a secure VM. It can't do
>>>
Michael Ellerman writes:
> Thiago Jung Bauermann writes:
>> Michael Ellerman writes:
>>> Thiago Jung Bauermann writes:
>>>> From: Anshuman Khandual
>>>>
>>>> LPPACA structures need to be shared with the host. Hence they need to be i
Hello,
Thiago Jung Bauermann writes:
> This series enables Secure Virtual Machines (SVMs) on powerpc. SVMs use the
> Protected Execution Facility (PEF) and request to be migrated to secure
> memory during prom_init() so by default all of their memory is inaccessible
> to th
() is still duplicated in generic code and powerpc
code. It's a small and simple function though, so not really a problem.
I think you'll need to move over remove_ima_buffer() if you agree with
the comment I'll make on patch 3, in which case the powerpc-specific
do_get_kexec_buffer() can be r
ava
> Signed-off-by: Prakhar Srivastava
> Signed-off-by: Lakshmi Ramasubramanian
> Reported-by: kernel test robot warning: no previous
> prototype for 'arch_ima_add_kexec_buffer' [-Wmissing-prototypes]
Reviewed-by: Thiago Jung Bauermann
--
Thiago Jung Bauermann
IBM Linux Technology Center
remove any existing
FDT_PROP_IMA_KEXEC_BUFFER property and also its corresponding memory
reservation, so that you avoid accumulating stale memory reservations
for non-existing IMA kexec buffers from previous kexecs.
--
Thiago Jung Bauermann
IBM Linux Technology Center
of memblock_alloc_low().
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/include/asm/svm.h | 4
arch/powerpc/mm/mem.c| 6 +-
arch/powerpc/platforms/pseries/svm.c | 26 ++
3 files changed, 35 insertions(+), 1 deletion(-)
Changes from v2
Christoph Hellwig writes:
> On Tue, Aug 18, 2020 at 07:11:26PM -0300, Thiago Jung Bauermann wrote:
>> POWER secure guests (i.e., guests which use the Protection Execution
>> Facility) need to use SWIOTLB to be able to do I/O with the hypervisor, but
>> they don't ne
Konrad Rzeszutek Wilk writes:
> On Tue, Aug 18, 2020 at 07:11:26PM -0300, Thiago Jung Bauermann wrote:
>> POWER secure guests (i.e., guests which use the Protection Execution
>> Facility) need to use SWIOTLB to be able to do I/O with the hypervisor, but
>> they don't ne
of memblock_alloc_low().
We also need to add swiotlb_set_no_iotlb_memory() in order to set the
no_iotlb_memory flag if initialization fails.
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/include/asm/svm.h | 4
arch/powerpc/mm/mem.c| 6 +-
arch/powerpc/platforms
Hello Christoph,
Christoph Hellwig writes:
> On Sat, Aug 15, 2020 at 05:45:36PM -0300, Thiago Jung Bauermann wrote:
>> POWER secure guests (i.e., guests which use the Protection Execution
>> Facility) need to use SWIOTLB to be able to do I/O with the hypervisor, but
>
Christoph Hellwig writes:
> On Mon, Aug 17, 2020 at 06:46:58PM -0300, Thiago Jung Bauermann wrote:
>> POWER secure guests (i.e., guests which use the Protection Execution
>> Facility) need to use SWIOTLB to be able to do I/O with the hypervisor, but
>> they don't ne
ava
> Signed-off-by: Prakhar Srivastava
> Signed-off-by: Lakshmi Ramasubramanian
Reviewed-by: Thiago Jung Bauermann
IMHO this patch and the next one can be squashed together. Also, a minor
comment below.
> ---
> arch/arm64/include/asm/ima.h | 17 +
>
rwise nothing stops the new kernel from stomping
over it. E.g., powerpc does:
ret = fdt_add_mem_rsv(fdt, image->arch.ima_buffer_addr,
image->arch.ima_buffer_size);
--
Thiago Jung Bauermann
IBM Linux Technology Center
initialization problem we are seeing in secure guests
with 128 GB of RAM: they are configured with 4 GB of crashkernel reserved
memory, which leaves no space for SWIOTLB in low addresses.
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/mm/mem.c | 7 ++-
include/linux/swiotlb.h | 8
Christoph Hellwig writes:
> On Thu, Jan 28, 2021 at 05:50:56PM -0300, Thiago Jung Bauermann wrote:
>> > struct module *find_module(const char *name)
>> > {
>> > - module_assert_mutex();
>>
>> Does it make sense to replace the asse
len,
>
> struct module *find_module(const char *name)
> {
> - module_assert_mutex();
Does it make sense to replace the assert above with the warn below (untested)?
RCU_LOCKDEP_WARN(rcu_read_lock_sched_held());
> return find_module_all(name, strlen(name), false);
>
Joe Perches writes:
> On Thu, 2021-01-28 at 00:52 -0300, Thiago Jung Bauermann wrote:
>> The problem is that this patch implements only part of the suggestion,
>> which isn't useful in itself. So the patch series should either drop
>> this patch or consolidate the F
Konrad Rzeszutek Wilk writes:
> On Fri, Jan 08, 2021 at 09:27:01PM -0300, Thiago Jung Bauermann wrote:
>>
>> Ram Pai writes:
>>
>> > On Wed, Dec 23, 2020 at 09:06:01PM -0300, Thiago Jung Bauermann wrote:
>> >>
>> >> Hi Ram,
>> >
Mike Rapoport writes:
> On Sat, Jan 23, 2021 at 06:09:11PM -0800, Andrew Morton wrote:
>> On Fri, 22 Jan 2021 01:37:14 -0300 Thiago Jung Bauermann
>> wrote:
>>
>> > Mike Rapoport writes:
>> >
>> > > > Signed-off-by: Rom
Lakshmi Ramasubramanian writes:
> On 1/27/21 7:52 PM, Thiago Jung Bauermann wrote:
>> Will Deacon writes:
>>
>>> On Wed, Jan 27, 2021 at 09:59:38AM -0800, Lakshmi Ramasubramanian wrote:
>>>> On 1/27/21 8:52 AM, Will Deacon wrote:
>>>>
>>
suggestion by Rob Herring:
> This could be taken a step further and do the allocation of the new
> FDT. The difference is arm64 uses vmalloc and powerpc uses kmalloc. The
> arm64 version also retries with a bigger allocation. That seems
> unnecessary.
in
https://lore.kernel.org/linux-integrity/20201211221006.1052453-3-r...@kernel.org/
The problem is that this patch implements only part of the suggestion,
which isn't useful in itself. So the patch series should either drop
this patch or consolidate the FDT allocation between the arches.
I just tested on powernv and pseries platforms and powerpc can use
vmalloc for the FDT buffer.
--
Thiago Jung Bauermann
IBM Linux Technology Center
Michael S. Tsirkin writes:
> On Mon, Jul 15, 2019 at 05:29:06PM -0300, Thiago Jung Bauermann wrote:
>>
>> Michael S. Tsirkin writes:
>>
>> > On Sun, Jul 14, 2019 at 02:51:18AM -0300, Thiago Jung Bauermann wrote:
>> >>
>> >>
>> >
Michael S. Tsirkin writes:
> On Mon, Jul 15, 2019 at 07:03:03PM -0300, Thiago Jung Bauermann wrote:
>>
>> Michael S. Tsirkin writes:
>>
>> > On Mon, Jul 15, 2019 at 05:29:06PM -0300, Thiago Jung Bauermann wrote:
>> >>
>> >> Michael
.
Fixes: 6a9c930bd775 ("powerpc/prom_init: Add the ESM call to prom_init")
Signed-off-by: Thiago Jung Bauermann
---
arch/powerpc/include/asm/elf.h | 3 +++
arch/powerpc/kernel/prom_init.c| 11 +++
arch/powerpc/kernel/prom_init_check.sh | 3 ++-
3 files c
Thiago Jung Bauermann writes:
> The ultravisor will do an integrity check of the kernel image but we
> relocated it so the check will fail. Restore the original image by
> relocating it back to the kernel virtual base address.
>
> This works because during build vm
trd. Such a
> support exists only in powerpc.
> This patch makes the carry over of logs architecture independent and puts the
> complexity in a driver.
If I'm not mistaken, the code at arch/powerpc/kexec/ima.c isn't actually
powerpc-specific. It could be moved to an arch-independent directory and
used by any other architecture which supports device trees.
I think that's the simplest way forward. And to be honest I'm still
trying to understand why you didn't take that approach. Did you try it
and hit some obstacle or noticed a disadvantage for your use case?
--
Thiago Jung Bauermann
IBM Linux Technology Center
these tests
separately from the one coming from x86 so here they are.
Thiago Jung Bauermann (2):
selftests/powerpc: Add ptrace tests for Protection Key registers
selftests/powerpc: Add core file test for Protection Key registers
tools/testing/selftests/powerpc/include/reg.h | 1 +
tools
This test verifies that the AMR, IAMR and UAMOR are being written to a
process' core file.
Signed-off-by: Thiago Jung Bauermann
---
tools/testing/selftests/powerpc/ptrace/Makefile| 5 +-
tools/testing/selftests/powerpc/ptrace/core-pkey.c | 460 +
2 files changed, 464
This test exercises read and write access to the AMR, IAMR and UAMOR.
Signed-off-by: Thiago Jung Bauermann
---
tools/testing/selftests/powerpc/include/reg.h | 1 +
tools/testing/selftests/powerpc/ptrace/Makefile| 5 +-
tools/testing/selftests/powerpc/ptrace/child.h | 130
powerpc and s390 are going to use this feature as well, so put it in a
generic location.
Signed-off-by: Thiago Jung Bauermann
---
arch/Kconfig | 3 +++
arch/x86/Kconfig | 4 +---
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/arch/Kconfig b/arch/Kconfig
index c47b328eada0
, other architectures will have different names so
this gets unwieldy quickly.
Signed-off-by: Thiago Jung Bauermann
---
arch/x86/Kconfig | 1 +
arch/x86/include/asm/dma-mapping.h | 7 +++
arch/x86/include/asm/mem_encrypt.h | 10 ++
include/linux/mem_encrypt.h